Bug description
x.cmp.net/doc.pdf
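My cluster uses Istio, and one of the services (Java) deployed in the mesh needs to connect to an external resource using http and port 443. This external resource uses a trusted wildcard certificate (DigiCert) with the subjects *.cmp.net and cmp.net. When I try to verify the SSL certificate with openssl (from the application container), I get a Google certificate (?? an Istio certificate?):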
```
opt$ openssl s_client -showcerts -connect x.cmp.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
0 s:CN = *.google.com
```
The application is written in Java, and when the application tries to download the resource:
No subject alternative DNS name matching shipjobmt.ista.net found.
My configuration:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet
  namespace: ppct
spec:
  hosts:
  - x.cmp.net
  - y.cmp.net
  - z.cmp.net
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: xinternalnet
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yinternalnet
  namespace: ppct
spec:
  host: y.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: zinternalnet
  namespace: ppct
spec:
  host: z.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
```
I also have blocking mode enabled:
```
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
```
Version
`istioctl version`
client version: 1.11.0
control plane version: 1.11.0
data plane version: 1.11.0 (65 proxies)
`kubectl version --short`
Client Version: v1.19.9
Server Version: v1.19.9
Additional information
No response
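
Added example, not part of the original report: a sketch of the RFC 6125-style DNS name check that a TLS client applies to the presented certificate, showing why a leaf for `*.google.com` is rejected for `x.cmp.net` while the expected `*.cmp.net` / `cmp.net` certificate is accepted. The function names and the observed SAN list are assumptions made for illustration (the openssl output above shows only the CN).

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is only honoured as the complete left-most label.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.net".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards like "f*.cmp.net" are not accepted here
    return p_labels == h_labels


def matching_sans(hostname: str, san_dns_names: list) -> list:
    """List the SAN entries that authorise hostname; empty means verification fails."""
    return [name for name in san_dns_names if dns_name_matches(name, hostname)]


# Names the report says the external resource's certificate carries.
EXPECTED_SANS = ["*.cmp.net", "cmp.net"]
# Constructed for illustration from the CN in the openssl output above.
OBSERVED_SANS = ["*.google.com"]

if __name__ == "__main__":
    for label, sans in (("expected", EXPECTED_SANS), ("observed", OBSERVED_SANS)):
        hits = matching_sans("x.cmp.net", sans)
        verdict = "accepted via %s" % hits if hits else "rejected: no matching DNS name"
        print("%s certificate for x.cmp.net: %s" % (label, verdict))
```

Running the same comparison against the SAN list of the certificate actually received, from inside the application container, shows whether the sidecar is routing the connection to the intended upstream.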